Citrix Gateway Plug-in for Windows Security Update

Vulnerabilities have been identified in Citrix Gateway Plug-in for Windows that, if exploited, could result in a local user escalating their privilege level to SYSTEM.

The vulnerabilities have the following identifiers:

  • CVE-2020-8257
  • CVE-2020-8258

These vulnerabilities affect the following supported versions of Citrix Gateway Plug-in for Windows:

Customers with Citrix ADC or Citrix Gateway:

  • Citrix Gateway Plug-in 13.0 for Windows before 64.35
  • Citrix Gateway Plug-in 12.1 for Windows before 59.16

These vulnerabilities do not affect Citrix Gateway Plug-in on other platforms.

Citrix Gateway Plug-in for Windows 11.1 is not affected by these vulnerabilities. Other versions are now End-of-Life and no longer supported.

The following supported versions of Citrix ADC (formerly known as NetScaler ADC) and Citrix Gateway (formerly known as NetScaler Gateway) include an impacted version of Citrix Gateway Plug-in in order to distribute it to users when they connect to Citrix Gateway:

  • Citrix ADC and Citrix Gateway 13.0 before 64.35
  • NetScaler ADC and NetScaler Gateway 12.1 before 59.16
  • Citrix ADC 12.1-FIPS before 55.190

The issues have been addressed in the following versions of Citrix Gateway Plug-in for Windows:

Customers with Citrix ADC or Citrix Gateway:

  • Citrix Gateway Plug-in 13.0 for Windows 64.35 and later versions
  • Citrix Gateway Plug-in 12.1 for Windows 59.16 and later versions
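The fixed-build thresholds above can be applied to a client inventory. This is an added example, not code from Citrix or from the original post; the function names, the accepted version formats ("13.0.64.35" or "13.0-64.35") and the sample inventory are assumptions.

```python
import re

# Fixed plug-in builds per branch, from the advisory text above.
FIXED_BUILD = {(13, 0): (64, 35), (12, 1): (59, 16)}
# Branch the advisory states is not affected by CVE-2020-8257 / CVE-2020-8258.
NOT_AFFECTED = {(11, 1)}

# Assumption: the inventory reports "13.0.64.35" or "13.0-64.35".
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)[.-](\d+)\.(\d+)\s*$")


def triage_plugin(version):
    """Classify one Citrix Gateway Plug-in for Windows version string."""
    m = VERSION_RE.match(version)
    if not m:
        return "unparseable"
    major, minor, build, patch = (int(x) for x in m.groups())
    if (major, minor) in NOT_AFFECTED:
        return "not-affected"
    fixed = FIXED_BUILD.get((major, minor))
    if fixed is None:
        # Branch not listed in the advisory (for example End-of-Life): review by hand.
        return "not-listed"
    # Compare as integer tuples so that build 7.99 sorts below 64.35.
    return "fixed" if (build, patch) >= fixed else "vulnerable"


def triage_inventory(rows):
    """Group hostnames by status; rows is an iterable of (host, version)."""
    report = {}
    for host, version in rows:
        report.setdefault(triage_plugin(version), []).append(host)
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-001", "13.0.64.35"),
    ("ws-002", "13.0.7.99"),
    ("ws-003", "12.1-59.15"),
    ("ws-004", "11.1.65.12"),
    ("ws-005", "12.0.63.21"),
    ("ws-006", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{status:12} {', '.join(hosts)}")
```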

The latest versions of Citrix Gateway Plug-in for Windows are available from:

https://www.citrix.com/downloads/citrix-gateway/plug-ins/

The original Citrix article: https://support.citrix.com/article/CTX282684

Citrix ADC, Citrix Gateway WANOP appliance Security Update

Multiple vulnerabilities have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway) and the Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO and 5100-WO. If exploited, these vulnerabilities could lead to the following security issues:

| CVE ID | Description | Vulnerability Type | Affected Products | Pre-conditions |
|---|---|---|---|---|
| CVE-2020-8245 | An HTML Injection attack against the SSL VPN web portal | CWE-79: Improper Neutralization of Input During Web Page Generation | Citrix ADC, Citrix Gateway | Requires an authenticated victim on the SSL VPN web portal who must open an attacker-controlled link in the browser |
| CVE-2020-8246 | A denial of service attack originating from the management network | CWE-400: Uncontrolled Resource Consumption | Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | Unauthenticated attacker with access to the management network |
| CVE-2020-8247 | Escalation of privileges on the management interface | CWE-269: Improper Privilege Management | Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | An attacker must possess privilege to execute arbitrary commands on the management interface |

The vulnerabilities are fixed in the following supported versions:

  • Citrix ADC and Citrix Gateway 13.0-64.35 and later releases
  • Citrix ADC and NetScaler Gateway 12.1-58.15 and later releases
  • Citrix ADC 12.1-FIPS 12.1-55.187 and later releases
  • Citrix ADC and NetScaler Gateway 11.1-65.12 and later releases
  • Citrix SD-WAN WANOP 11.2.1a and later releases
  • Citrix SD-WAN WANOP 11.1.2a and later releases
  • Citrix SD-WAN WANOP 11.0.3f and later releases
  • Citrix SD-WAN WANOP 10.2.7b and later releases

In addition, security enhancements have been added to the above versions of Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP to protect customers against HTTP Request Smuggling attacks. Customers can enable these enhancements via the Citrix ADC management interface. For more information, see https://support.citrix.com/article/CTX282268.

Mitigating Factors

Two of the three vulnerabilities originate in the management interface of Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP. Citrix strongly recommends separating network traffic to the appliance's management interface, either physically or logically, from normal network traffic. Doing so greatly reduces the risk of exploitation. For more information, see https://docs.citrix.com/en-us/citrix-adc/citrix-adc-secure-deployment/secure-deployment-guide.html.

Solution

Install one of the published updates as soon as possible.

Do you have questions or need help? Contact us, we will be happy to assist.

Microsoft Windows Defender Is Detecting Citrix Broker Service As Trojan

https://support.citrix.com/article/CTX279897

Solution
Citrix is aware of a potential issue impacting the Citrix Broker and Citrix HighAvailability services on the Delivery Controllers and Citrix Cloud Connectors respectively with Microsoft Defender installed. Please see the following article for best practices to configure Microsoft Windows Defender: https://docs.citrix.com/en-us/tech-zone/build/tech-papers/antivirus-best-practices.html.

On-Premises Deployment

Microsoft has released an updated Antivirus Definition 1.321.1341.0 to address this issue.

To clear the current cache and trigger an update, use a batch script that runs the following commands as an administrator:

cd /d "%ProgramFiles%\Windows Defender"
MpCmdRun.exe -removedefinitions -dynamicsignatures
MpCmdRun.exe -SignatureUpdate

Reference:
https://www.microsoft.com/en-us/wdsi/defenderupdates

If you continue to see the issue, please follow the below workarounds:

Workaround 1

The following steps can help restore the service:

1. Restore the quarantined files from Windows Defender by following this article: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus
   This includes the Citrix Broker Service, the Citrix High Availability Service and the Citrix Configuration Sync service.
2. Change the Log On for these services to Network Service.
3. Apply the exclusion list described in the article: https://docs.citrix.com/en-us/tech-zone/build/tech-papers/antivirus-best-practices.html.
4. Reboot the Citrix Delivery Controller machine.

Try the below steps if the above workaround does not resolve the issue.

Workaround 2
1. Mount the Citrix Virtual Apps and Desktop ISO.
2. Navigate to the "\x64\Citrix Desktop Delivery Controller" folder.
3. Right-click Broker_Service_x64.msi and choose Repair.
4. During the Repair, add the BrokerService.exe and the HighAvailabilityService.exe to the exclusion list in the Microsoft Windows Defender pop-up wizard.
5. If the Microsoft Windows Defender wizard does not pop up automatically during the BrokerService.exe Repair, then follow https://docs.citrix.com/en-us/tech-zone/build/tech-papers/antivirus-best-practices.html to add the exclusions manually.

Workaround 3
Disable/downgrade Microsoft Windows Defender Version. Refer to the Microsoft articles below to add exclusions or roll back the update.

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus

https://support.microsoft.com/en-in/help/4052623/update-for-microsoft-defender-antimalware-platform
Ensure Citrix Recommended AV exclusions are in place as per Citrix article: https://docs.citrix.com/en-us/tech-zone/build/tech-papers/antivirus-best-practices.html#antivirus-exclusions

Citrix Virtual Apps and Desktop Service

Workaround

Please follow the below steps on all Citrix Cloud Connector machines:

1. Restore the quarantined files from Windows Defender by following this article: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus
   This includes the Citrix High Availability Service and the Citrix Configuration Sync service.
2. Change the Log On for these services to Network Service.
3. Apply the exclusion list described in the article: https://docs.citrix.com/en-us/tech-zone/build/tech-papers/antivirus-best-practices.html#cloud-connector
4. Reboot the Citrix Cloud Connector.

Note: If the files for the Citrix High Availability Service and the Citrix Configuration Sync service are no longer present in the Windows Defender quarantined files, then uninstall and reinstall the Citrix Cloud Connector.

Problem Cause
Microsoft Windows Defender is detecting the Citrix Broker Service as well as HighAvailabilityService.exe as a Trojan and deleting them.

Microsoft Reports Vulnerability in the Windows DNS Service

The DNS service of Windows Server is affected by a vulnerability that allows attackers to spread worm-like viruses or obtain elevated privileges.

Official Microsoft article:

Workaround via registry, no restart required:

https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability

The operating systems Windows Server 2003 through 2019 are affected. The corresponding updates are available immediately via Windows Update.

New NetScaler Vulnerabilities (CTX276688)

Today Citrix published a Security Bulletin (CTX276688) alerting all NetScaler and SD-WAN customers to several vulnerabilities, some of them severe.

Details on the vulnerabilities can be found here: Security Bulletin (CTX276688)

Some vulnerabilities are exploitable only via the NSIP (management IP), so an attacker needs access to the internal network.

Unpatched versions, however, also contain vulnerabilities that can be attacked via the VIPs.

No exploits are currently known, but all NetScaler operators are advised to install the relevant update as soon as possible.

For all NetScaler versions from 10.5 to 13.0, secured versions are already available in the Citrix download area:

  • Citrix ADC and Citrix Gateway 13.0-58.30 and later releases
  • Citrix ADC and NetScaler Gateway 12.1-57.18 and later 12.1 releases
  • Citrix ADC and NetScaler Gateway 12.0-63.21 and later 12.0 releases
  • Citrix ADC and NetScaler Gateway 11.1-64.14 and later 11.1 releases
  • NetScaler ADC and NetScaler Gateway 10.5-70.18 and later 10.5 releases
  • Citrix SD-WAN WANOP 11.1.1a and later releases
  • Citrix SD-WAN WANOP 11.0.3d and later 11.0 releases
  • Citrix SD-WAN WANOP 10.2.7 and later 10.2 releases
  • Citrix Gateway Plug-in for Linux 1.0.0.137 and later versions

Multiple Vulnerabilities Reported in Citrix Systems Workspace App and Receiver

In a Knowledge Base article, Citrix describes that all Workspace App and Receiver versions before 1912 are affected by two vulnerabilities. With these, an attacker can obtain elevated privileges and thereby take over the local system.

The two vulnerabilities are described in more detail below:

CVE-2020-13884: Citrix Workspace App before 2006.1 on Windows has Insecure Permissions for %PROGRAMDATA%\Citrix (and an unquoted UninstallString), which allows local users to gain privileges by copying a malicious citrix.exe there.

CVE-2020-13885: Citrix Workspace App before 2006.1 on Windows has Insecure Permissions for "%PROGRAMDATA%\Citrix\Citrix Workspace ####\" which allows local users to gain privileges by copying a malicious webio.dll there.

These vulnerabilities affect Windows clients only.
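Both CVEs describe a directory under %PROGRAMDATA%\Citrix that local users can write to. The following added example (not code from Citrix or from the original post) parses `icacls` output for such a directory and reports allow ACEs that give non-administrative principals write-capable rights; the function name, the English principal names and the sample ACL text are assumptions constructed for illustration.

```python
import re

# Assumption: English principal names; localized Windows builds use other names.
LOW_PRIV = {"BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users",
            "NT AUTHORITY\\INTERACTIVE", "Everyone"}
# icacls right codes that allow creating or replacing files, or rewriting the ACL.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "GA", "GW", "WDAC", "WO"}
# Inheritance markers that icacls prints in front of the rights group.
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}


def risky_aces(path, icacls_output):
    """Return [(principal, [rights])] for low-privileged, write-capable allow ACEs."""
    findings = []
    for line in icacls_output.splitlines():
        entry = line.strip()
        if entry.startswith(path):            # the first line is prefixed with the path
            entry = entry[len(path):].strip()
        principal, sep, rest = entry.partition(":(")
        if not sep or principal not in LOW_PRIV:
            continue                          # summary line, blank line or trusted principal
        groups = re.findall(r"\(([^)]*)\)", "(" + rest)
        if "DENY" in groups:
            continue                          # deny ACEs grant nothing
        rights = {r for g in groups if g not in INHERIT_FLAGS for r in g.split(",")}
        hits = sorted(rights & WRITE_RIGHTS)
        if hits:
            findings.append((principal, hits))
    return findings


# Constructed sample: a directory where BUILTIN\Users may add files and subfolders.
WEAK_ACL = r"""C:\ProgramData\Citrix NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                      BUILTIN\Administrators:(I)(OI)(CI)(F)
                      CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                      BUILTIN\Users:(I)(OI)(CI)(RX)
                      BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)

Successfully processed 1 files; Failed processing 0 files
"""
# Constructed sample: the same ACL without the write-capable Users entry.
TIGHT_ACL = "\n".join(l for l in WEAK_ACL.splitlines() if "WD" not in l)

if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("tight", TIGHT_ACL)):
        print(name, risky_aces(r"C:\ProgramData\Citrix", acl))
```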

Citrix has published this article on the issue: https://support.citrix.com/article/CTX275460

It is recommended to update to Workspace App 1912 or newer as soon as possible.

The latest version of the Workspace App can be downloaded from this link: https://www.citrix.com/downloads/workspace-app/windows/workspace-app-for-windows-latest.html